*U.S. officials warn of attacks, including on nuclear plants
*Cyber-attacks underway since at least March 2016, U.S. says

Russian hackers are conducting a broad assault on the U.S. electric grid, water processing plants, air transportation facilities and other targets in rolling attacks on some of the country’s most sensitive infrastructure, U.S. government officials said Thursday.

The announcement was the first official confirmation that Russian hackers have taken aim at facilities on which hundreds of millions of Americans depend for basic services. Bloomberg News reported in July that Russian hackers had breached more than a dozen power plants in seven states, an aggressive campaign that has since expanded to dozens of states, according to a person familiar with the investigation.

"Since at least March 2016, Russian government cyber actors" have targeted "government entities and multiple U.S. critical infrastructure sectors," including those of energy, nuclear, water and aviation, according to an alert issued Thursday by the Department of Homeland Security and Federal Bureau of Investigation.

Critical manufacturing sectors and commercial facilities also have been targeted by the ongoing "multi-stage intrusion campaign by Russian government cyber actors."

This is hardly news. NERC, FERC and the DOE have been involved in this and similar issues for years - and if these "new" attacks have been going on for over a year now we're apparently able to mitigate them.

The fact is, the industry and regulators should be closed mouthed about what they do or don't do.

The breach affected an estimated 150 million users of its food and nutrition application, MyFitnessPal.
The investigation indicates that affected information may include usernames, email addresses, and hashed passwords.

Chloe Aiello, CNBC.com

Shares of Under Armour dropped 3.8 percent, before paring losses, after the active-wear company informed users of its online fitness and nutrition website their data had been compromised.

Under Armour announced on Thursday that the breach affected an estimated 150 million users of its food and nutrition application, MyFitnessPal.

The investigation indicates that affected information may include usernames, email addresses, and hashed passwords.

Payment information, which Under Armour collects and processes separately, has not been affected by the breach. Under Armour does not collect government identifiers, like social security numbers and driver's license numbers.

TORONTO/NEW YORK (Reuters) - Retailer Hudson’s Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.

One cyber security firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.

Toronto-based Hudson’s Bay said in a statement that it had “taken steps to contain” the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

The Department of Homeland Security has detected in the Washington area what appears to be the unauthorized use of a controversial technology that allows for the surreptitious surveillance of people’s cellphones — though it has not been able to pinpoint who or what is causing it, the department revealed in a letter released Tuesday.

The technology, a cell-tower simulator commonly known as a StingRay, has been deployed for years by federal and local law enforcement to pinpoint suspects’ locations, though its unauthorized use in the Washington area raises fears that foreign adversaries might also be taking advantage of it to spy on U.S. citizens.

The simulators work by tricking cellphones nearby to register with them, rather than normal cell towers. Once the device finds the phone it is seeking, it can pinpoint the phone’s location. Some versions of the technology can also be used to eavesdrop on calls.

Cisco switch flaw led to attacks on critical infrastructure in several countries
The attack targets the Cisco Smart Install Client, and as many as 168,000 systems could be vulnerable.

By Conner Forrest | April 6, 2018, 6:26 AM PST

Leveraging a protocol misuse issue in the Cisco Smart Install Client, nation state actors have been able to target cyberattacks at critical infrastructure in many countries.

Cisco has released a new open source tool that scans for the Cisco Smart Install protocol, which may impact more than 168,000 systems.

A flaw in Cisco switches has allowed hackers to target critical infrastructure in many countries with cyberattacks, according to a Thursday security report from the Cisco Talos team. As many as 168,000 systems may be affected by the flaw.

According to the report, attackers are targeting a protocol issue with the Cisco Smart Install Client. If a user doesn't configure or turn off the Cisco Smart Install, it will hang out in the background waiting for commands on what to do.

The post noted that, if abused, the Smart Install protocol can be used to "modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands."

Quick! Into Pruitt's phone booth!!!! It's not paranoia if they really are after you.

"The people must know before they can act, and there is no educator to compare with the press." - Ida B. Wells-Barnett, journalist, newspaper editor, suffragist, feminist and founder with others of NAACP.

Urban Bungle: Atlanta Cyber Attack Puts Other Cities on Notice
The city has spent the past two weeks restoring online services disrupted by ransomware that held encrypted data hostage

By Larry Greenemeier on April 4, 2018

Soon after Atlanta City Auditor Amanda Noble logged onto her work computer the morning of March 22, she knew something was wrong. The icons on her desktop looked different—in some cases replaced with black rectangles—and she noticed many of the files on her desktop had been renamed with “weapologize” or “imsorry” extensions. Noble called the city’s chief information security officer to report the problem and left a message. Next, she called the help desk and was put on hold for a while. “At that point, I realized that I wasn’t the only one in the office with computer problems,” Noble says.

Those computer problems were part of a high-profile “ransomware” cyberattack on the City of Atlanta that has lasted nearly two weeks and has yet to be fully resolved. During that time the metropolis has struggled to recover encrypted data on employees’ computers and restore services on the municipal Web site. The criminals initially gave the city seven days to pay about $51,000 in the cryptocurrency bitcoin to get the decryption key for their data. That deadline came and went last week, yet several services remain offline, suggesting the city likely did not pay the ransom. City officials would not comment on the matter when contacted by Scientific American.

Lawyers in UK and US allege four firms misused personal data of more than 71m people

British and US lawyers have launched a joint class action against Facebook, Cambridge Analytica and two other companies for allegedly misusing the personal data of more than 71 million people.

The lawsuit claims the firms obtained users’ private information from the social media network to develop “political propaganda campaigns” in the UK and the US.

* * *

As well as Cambridge Analytica, the two firms named in the legal writ are SCL Group Limited and Global Science Research Limited (GSR).

Steve Bannon, Donald Trump’s former campaign and White House adviser, led Cambridge Analytica in 2014, when the data was collected and extracted, the legal papers state.

The Cambridge University neuroscientist Aleksandr Kogan, a founding director of GSR, is also named.

* * *

The claim, the first involving British citizens, has been lodged in the US state of Delaware where Facebook, SCL and Cambridge Analytica are all incorporated. Seven individual plaintiffs, all Facebook users, are named in the writ; five American and two British. The numbers may expand as the case proceeds.

It has been brought under the US Stored Communications Act. US lawyers said the legislation provides for a minimum $1000 (£700) penalty for any violation found by a court, meaning that, if the case goes against Facebook, it could face damages in excess of $70bn.

The FBI has quietly solved a rash of bulk database thefts that affected 168 million users of some of the internet’s most popular websites, The Daily Beast has learned.

The culprit in the breaches is a 28-year-old Arkansas man named Kyle Milliken, who, along with colleagues, stole email addresses and account passwords to feed a lucrative and hugely annoying spam operation that ran from 2010 to 2014.

Last month Milliken was sentenced to 17 months at a federal work camp—a sentence lightened by his cooperation with the FBI. He’s set to begin his sentence on May 24. His case remains under seal in federal court in San Jose, California, and with it the remarkable story of a high school dropout from rural Arkansas who rode a wave of hacking and spam to the pinnacle of California high life, until a moment of carelessness reversed his fortunes overnight.

Milliken’s prison sentence comes as Facebook’s privacy issues are putting a spotlight on the precariousness of individual privacy in an era when every click of a mouse can disclose something personal. For every high-profile data spill like Facebook’s, which affected as many as 87 million users, there are countless more that escape public notice, either because the company that lost the data doesn’t know it or because it chose to keep the breach secret.

“There are hundreds if not thousands of databases that haven’t been disclosed,” said Milliken. “Fifty, sixty, seventy percent of these haven’t been reported. For the most part, people sweep it under the rug.”

Intel is facing another wave of reported security issues that affect the company's processors. The vulnerabilities, called Spectre Next Generation or Spectre NG, have not been disclosed publicly yet.

A report on the German computer magazine site Heise suggests that eight new vulnerabilities were reported to Intel recently. Intel gave four of the eight vulnerabilities a severity rating of high and the remaining four a severity rating of medium according to Heise.

The exploitability of one of the vulnerabilities appears to be higher than that of previous issues as attackers may abuse the issue to break out of virtual machines to attack the host system or other machines, reports Heise.

Companies that provide cloud hosting or cloud services are primary targets for the vulnerability as attackers may exploit it to gain access to data transfers and data.

A soon-to-be-disclosed and massive chip flaw affects more than just Intel chips, according to both sources familiar with the issue and Intel itself.

The issue, which has to do with how modern chips speculatively execute code, leaves a wide range of processors vulnerable to attack. For now the solution appears to be rewriting devices' operating systems, meaning lots of work for Microsoft, Google, Apple and others.

Huh. Yesterday, Linux Mint issued an update to the Ubuntu base. It seemed to me a relatively rare type of update, at least one I haven't noticed. I wonder now if it had to do with this issue. I was planning to look into it today, so thanks, dear Eurobot.


Twitter says all 336 million users should change their passwords
by Heather Kelly @heatherkelly
May 3, 2018: 5:23 PM ET

Twitter has recommended its 336 million users change their passwords.

The company announced on Thursday it discovered a bug that saved user passwords unprotected on an internal log.

Twitter said it has since fixed the issue. Although the company said there is no evidence passwords have been leaked or misused, it is urging its users to update their passwords.

"As a precaution, consider changing your password on all services where you've used this password," the company tweeted.

The company protects user passwords via a process called hashing, which shows random characters in place of the actual passwords. But the detected bug stored the passwords in their original plain-text form to an "internal log."
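An added illustration, not Twitter's code, of the two controls the story turns on: a salted, slow password hash so only the digest is ever stored, plus a logging filter that scrubs password fields even when a request is logged verbatim. The field names, round count and sample login are assumptions.

```python
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Optional, Tuple

# Added example (not Twitter's code). The reported bug was a raw password reaching an internal
# log before hashing. Two defences shown here: store only a salted, slow hash, and scrub
# password-like fields in a logging filter so a careless log call cannot leak them.

PBKDF2_ROUNDS = 200_000   # assumption: raise until one hash costs tens of milliseconds on your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex'; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare of the digests."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Matches password=..., passwd: ..., "password": "..." in query strings, key/value lines and JSON.
_SECRET_RE = re.compile(r'(?i)((?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|[^&\s,}]+)')

def _redact(match: re.Match) -> str:
    quoted = match.group(2).startswith('"')
    return match.group(1) + ('"[REDACTED]"' if quoted else "[REDACTED]")

class RedactingFilter(logging.Filter):
    """Rewrites each record's text before any handler writes it, so the sink never sees secrets."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _SECRET_RE.sub(_redact, record.getMessage())
        record.args = ()
        return True

def _logger_to(sink: io.StringIO) -> logging.Logger:
    logger = logging.getLogger("login-audit")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger

def login_and_log(username: str, password: str, stored_hash: str) -> Tuple[bool, str]:
    """Constructed login path that (wrongly) logs the whole request; returns (ok, log text)."""
    sink = io.StringIO()
    logger = _logger_to(sink)
    logger.info("login attempt user=%s password=%s", username, password)   # the mistake in the story
    ok = verify_password(password, stored_hash)
    logger.info('{"user": "%s", "password": "%s", "ok": %s}', username, password, ok)
    return ok, sink.getvalue()

if __name__ == "__main__":
    ok, log_text = login_and_log("alice", "s3cret-Tw33t!", hash_password("s3cret-Tw33t!"))
    print("login ok:", ok)
    print(log_text)   # both lines now carry [REDACTED] instead of the password
```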

While I don't expect (m)any Fogbowzers to be encrypting their mail, this is what some guys just found.
I understand that the decryptor parts could leak mail content to a virus on one's computer; it seems to me that keeping encryption in place for the transmission is still preferable over plain-text transmission. Or I misinterpret the suggestion in a way, e.g. only the included automatic decryption ought to be disabled, but separate tools used to read the message text.

A professor of Computer Security at the Münster University of Applied Sciences has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.

Professor Sebastian Schinzel took to Twitter with the news early on Monday, European time.

Schinzel and his fellow researchers have alerted a few folks about the problem, among them the Electronic Frontier Foundation which has assessed his research and agreed that PGP has flaws.

An EFF advisory says “these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF’s post said. It also named Enigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook as worthy of disablement, and offers instructions on how to do so.

Chili's Hack May Have Exposed Customers' Names And Payment Info
The company believes the hack happened in March and April, but it's not sure how many people might have been affected.
By Gabrielle Ware May 14, 2018

If you ate at Chili's in March or April, you may have had your data stolen.

Chili's parent company Brinker International said in a statement this weekend, "While the investigation is still ongoing, we believe that malware was used to gather payment card information, including credit or debit card numbers and cardholder names."

The company believes the incident only affected in-store payments, but it hasn't determined how many people may have been affected.

Social security numbers, dates of birth and ID numbers were not compromised as Chili's doesn't collect that information from customers.

Chili's is suggesting a variety of actions for potential victims, including monitoring bank statements and putting a freeze on credit accounts.

The FBI on Friday issued a formal warning that a sophisticated Russia-linked hacking campaign is compromising hundreds of thousands of home network devices worldwide and it is advising owners to reboot these devices in an attempt to disrupt the malicious software.

The law enforcement agency said foreign cyber actors are targeting routers in small or home offices with a botnet — or a network of infected devices — known as VPNFilter. ...

"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the bureau's cyber division wrote in a public alert.

"Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware." ...

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."

The FBI has seized a key domain used to infect more than 500,000 home and small-office routers in a move that significantly frustrates a months-long attack that agents say was carried out by the Russian government, The Daily Beast reported late Wednesday.

An FBI affidavit obtained by The Daily Beast said the hacking group behind the attacks is known as Sofacy. The group—which is also known as Fancy Bear, Sednit, and Pawn Storm—is credited with a long list of attacks over the years, including the 2016 hack of the Democratic National Committee.

As Ars reported earlier Wednesday, Cisco researchers said the malware that infected more than 500,000 routers in 54 countries was developed by an advanced nation and implied Russia was responsible, but the researchers didn’t definitively name the country.

Google, Microsoft find another Spectre, Meltdown flaw
Intel promises patches in the next few weeks. Devices could take a performance hit.

BY ALFRED NG MAY 21, 2018 3:22 PM PDT

Researchers discover a fourth variant of the Spectre and Meltdown flaws found in hundreds of millions of chips.

Intel and Microsoft on Monday disclosed a newly found variant of the Spectre and Meltdown security flaws, revealing another vulnerability in chips used in hundreds of millions of computers and mobile devices.

Intel is calling the new strain "Variant 4." While this latest variant taps into many of the same security vulnerabilities that were first revealed in January, it uses a different method to extract sensitive information, according to the company.

Intel is classifying Variant 4 as a medium risk because many of the exploits it uses in web browsers were fixed in the original set of patches, according to a blog post from the company. The newly found variant uses something called "Speculative Store Bypass," which could allow your processor to load sensitive data to potentially insecure spaces.

In the US-CERT's advisory, officials said the new flaw would allow attackers to read older memory values on your CPU.

I just learnt about a way of data transmission I was not aware of in this form, e.g. ultrasonic sounds.

IIRC these were used back in the days as garage door openers prior to the wireless and infrared remote controls.

But the Big Guys have obviously been using ultrasonic sounds as a method to spy on unaware users:

Novel technologies like Google Nearby and Silverpush build upon ultrasonic sounds to exchange information. More and more of our devices communicate via this inaudible communication channel. Ultrasonic communication makes it possible to pair devices and exchange information, but also to track users and their behaviour across several devices, similar to cookies on the web. Every device with a microphone and a speaker is able to send and receive ultrasonic information. The user is usually not aware of this inaudible and hidden data transfer.

To overcome this gap, within the project SoniControl we research the current capabilities of ultrasonic communication and raise awareness of this unknown communication channel. To date there is no technology available that detects ultrasonic communication and that enables the user to protect his or her privacy. We develop a mobile application that detects ultrasonic activity, notifies the user and blocks the information on demand. Thereby, we want to raise awareness of this novel technology and help users to protect their privacy.
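As an added example (not SoniControl's code), a frame-by-frame detector for the hidden channel described above: it flags audio windows whose spectral power above 18 kHz is out of proportion to the audible content. The frame size, the 18 kHz boundary, the alert threshold and the synthetic test tones are constructed assumptions.

```python
import cmath
import math

# Added example, not SoniControl's code: a minimal detector for the inaudible beacons the
# project describes. Each frame is transformed with a small radix-2 FFT and flagged when the
# share of spectral power at or above ULTRASONIC_HZ exceeds ALERT_RATIO.

SAMPLE_RATE = 44_100        # common phone microphone rate; Nyquist is 22.05 kHz
FRAME = 2048                # samples per analysis window (~46 ms); must be a power of two
ULTRASONIC_HZ = 18_000      # assumption: beacons sit above this, speech and music below
ALERT_RATIO = 0.05          # assumption: power share above ULTRASONIC_HZ that triggers an alert

def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT of a real or complex list whose length is 2**m."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("frame length must be a power of two")
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def ultrasonic_ratio(frame, rate=SAMPLE_RATE):
    """Fraction of (non-DC) spectral power found at frequencies >= ULTRASONIC_HZ."""
    n = len(frame)
    powers = [abs(c) ** 2 for c in fft(frame)[: n // 2]]   # bins 0 .. just below Nyquist
    bin_hz = rate / n
    total = sum(powers[1:]) or 1e-12                        # ignore any DC offset
    high = sum(p for k, p in enumerate(powers) if k * bin_hz >= ULTRASONIC_HZ)
    return high / total

def detect_frames(samples, rate=SAMPLE_RATE, frame=FRAME):
    """Split a recording into frames and return one True/False verdict per full frame."""
    return [ultrasonic_ratio(samples[i:i + frame], rate) >= ALERT_RATIO
            for i in range(0, len(samples) - frame + 1, frame)]

def make_tones(freqs_and_amps, n=FRAME, rate=SAMPLE_RATE):
    """Constructed test signal: a sum of sines (audible content, optionally plus a beacon)."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in freqs_and_amps)
            for i in range(n)]

AUDIBLE = [(440, 1.0), (1200, 0.5)]     # stand-in for speech or music
BEACON = [(19_000, 0.4)]                # quiet 19 kHz carrier a listener cannot hear

def demo_recording():
    """Three constructed frames: audible only, audible plus beacon, audible only."""
    return make_tones(AUDIBLE) + make_tones(AUDIBLE + BEACON) + make_tones(AUDIBLE)

if __name__ == "__main__":
    for i, flagged in enumerate(detect_frames(demo_recording())):
        print(f"frame {i}: {'ULTRASONIC ACTIVITY' if flagged else 'clean'}")
```

On real microphone input the same `detect_frames` call is applied to successive buffers of PCM samples; a production app would also add a window function and track the ratio over several frames before alerting.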